kolan
/
Redmine
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fixed back url verification (#16466). 

git-svn-id: http://svn.redmine.org/redmine/trunk@13018 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Jean-Philippe Lang 2014-03-29 14:32:47 +00:00
parent cecbb225a2
commit 7567c3d8b2
2 changed files with 9 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/application_controller.rb
View File

@ -379,7 +379,7 @@ class ApplicationController < ActionController::Base
begin begin
uri = URI.parse(back_url) uri = URI.parse(back_url)
# do not redirect user to another host or to the login or register page # do not redirect user to another host or to the login or register page
if (uri.relative? || (uri.host == request.host)) && !uri.path.match(%r{/(login|account/register)}) if ((uri.relative? && back_url.match(%r{\A/\w})) || (uri.host == request.host)) && !uri.path.match(%r{/(login|account/register)})
redirect_to(back_url) redirect_to(back_url)
return return
end end

10
test/functional/account_controller_test.rb
View File

@ -66,8 +66,14 @@ class AccountControllerTest < ActionController::TestCase
end end
def test_login_should_not_redirect_to_another_host def test_login_should_not_redirect_to_another_host
post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http://test.foo/fake' back_urls = [
assert_redirected_to '/my/page' 'http://test.foo/fake',
'//test.foo/fake'
]
back_urls.each do |back_url|
post :login, :username => 'jsmith', :password => 'jsmith', :back_url => back_url
assert_redirected_to '/my/page'
end
end end
def test_login_with_wrong_password def test_login_with_wrong_password